A TCAS-II Resolution Advisory Detection Algorithm 


The Traffic Alert and Collision Avoidance System (TCAS) is a family of airborne systems 
designed to reduce the risk of mid-air collisions between aircraft. TCAS II, the current 
generation of TCAS devices, provides resolution advisories that direct pilots to maintain 
or increase vertical separation when aircraft distance and time parameters are beyond 
designed system thresholds. This paper presents a mathematical model of the TCAS II 
Resolution Advisory (RA) logic that assumes accurate aircraft state information. Based on 
this model, an algorithm for RA detection is also presented. This algorithm is analogous 
to a conflict detection algorithm, but instead of predicting loss of separation, it predicts 
resolution advisories. It has been formally verified that for a kinematic model of aircraft 
trajectories, this algorithm completely and correctly characterizes all encounter geometries 
between two aircraft that lead to a resolution advisory within a given lookahead time 
interval. The RA detection algorithm proposed in this paper is a fundamental component 
of a NASA sense and avoid concept for the integration of Unmanned Aircraft Systems in 
civil airspace. 
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Nomenclature 


^"mod^ 

TAU/ 

DMOD^ 

ZTHR^ 

HMDf 

ALIM^ 



Current horizontal component of ownship’s position 
Current ownship’s altitude 

Current horizontal component of ownship’s velocity 
Current ownship’s vertical speed 
Current horizontal component of intruder’s position 
Current intruder’s altitude 

Current horizontal component of intruder’s velocity 

Current intruder’s vertical speed 

Time to closest horizontal point of approach 

Time to co-altitude 

Current ownship’s tau 

Current ownship’s modified tau for sensitivity level t 
RA tau threshold for sensitivity level l 
RA DMOD for sensitivity level i 
RA vertical threshold for sensitivity level l 
RA Horizontal Miss Distance for sensitivity level P 
RA altitude limit for sensitivity level i 


Subscript 


0 

1 
i 


y 


X 


Ownship information 

Intruder information 

Current ownship’s sensitivity level 

Northern component of a position or velocity vector 

Eastern component of a position or velocity vector 
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I. Introduction 


The Unmanned Aircraft Systems (UAS) Integration in the National Airspace System (NAS) is a NASA 
research project that addresses the integration of civil UAS into non-segregated airspace operations. One of 
the major challenges of this integration is the lack of an on-board pilot to comply with the legal requirement 
identified in the US Code of Federal Regulations (CFR) that pilots see and avoid other aircraft in their 
vicinity. As a means of compliance with this legal requirement, the final report of the FAA-sponsored Sense 
and Avoid (SAA) Workshop [1] defines the concept of sense and avoid for remote pilots as “the capability of 
a UAS to remain well clear from and avoid collisions with other airborne traffic.” Hence, collision avoidance 
is a critical element of any sense and avoid concept for the integration of UAS in the NAS. 

The Traffic Alert and Collision Avoidance System (TCAS) is a family of airborne devices that are designed 
to reduce the risk of mid-air collisions between aircraft equipped with operating transponders [2] . TCAS has 
evolved through extensive development and a number of versions since its initial operational evaluation in 
1982. TCAS II, the current generation of TCAS devices, is mandated in the US for aircraft with greater than 
30 seats or a maximum takeoff weight greater than 33,000 pounds. Although it is not required, TCAS II is 
also installed on many turbine-powered general aviation aircraft. Version 7.0 is the current operationally- 
mandated version of TCAS II, and Version 7.1 has been standardized [3]. 

In contrast to TCAS I, the first generation of TCAS devices, TCAS II provides resolution advisories 
(RAs). RAs are visual and vocalized alerts that direct pilots to maintain or increase vertical separation 
with intruders that are considered collision threats. TCAS II resolution advisories can be corrective or 
preventive depending on whether the pilot is expected to change or maintain the aircraft’s current vertical 
speed. Corrective RAs are particularly disruptive to the air traffic system since they may cause drastic 
evasive maneuvers. For this reason, they are intended as a last resort maneuver when all other means of 
separation have failed. 

The Sense and Avoid (SAA) concept for Unmanned Aircraft Systems (UAS) described in [4] rests on 
interoperability principles that take into account both the Air Traffic Control (ATC) environment as well 
as existing systems such as TCAS. Specifically, the concept addresses the determination of well clear values 
that are large enough to avoid issuance of TCAS II resolution advisories. It relies on airborne and ground 
capabilities that predict encounter geometries that will cause an RA. These capabilities allow UAS pilots 
to take non-disruptive preventive actions early enough to avoid issuance of corrective RAs. The main 
contribution of this paper is an algorithm for TCAS II RA detection that can be used to implement those 
SSA airborne and ground capabilities. 

The RA detection algorithm presented in this paper is based on a mathematical model of the TCAS II 
resolution advisory logic that assumes accurate vector state information for two aircraft. It is analogous 
to a conflict detection algorithm but instead of predicting loss of separation, it predicts RAs. It has been 
formally verified in the Program Verification System (PVS) [5] that assuming aircraft linear trajectories, 
the algorithm completely and correctly characterizes all encounter geometries that will cause an RA within 
a given lookahead time interval. The formal development presented in this paper is part of the NASA’s 
Airborne Coordinated Resolution and Detection (ACCoRD) mathematical framework, which is electronically 
available from http://shemesh.larc.nasa.gov/people/cam/ACCoRD. 

The rest of this paper is organized as follows. Section II provides a high level description of the TCAS II 
resolution advisory logic. A mathematical model of this logic is presented in Section III. Section IV proposes 
an algorithm for resolution advisory detection and states its main correctness property. Section V presents 
an algorithm that checks whether a given RA is corrective or preventive. Section VI discusses related work. 
The last section concludes the paper. 

II. TCAS II Resolution Advisory Logic 

TCAS consists of several hardware and software sub-systems. These sub-systems provides means for lim- 
ited surveillance and communication, and perform tasks such as traffic identification, tracking, and collision 
avoidance. This paper focuses on the collision detection sub-system that deals with resolution advisories. 

TCAS collision detection logic uses the concept of tau (r) to estimate the time to closest point of approach 
(CPA) between the ownship and one given traffic aircraft known as intruder. The time tau is defined as 
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range (r) over closure rate , where closure rate is the negative of the range rate (r), i.e., 


r 


T = — 


• i 

r 


(i) 


Both range and range rate are derived from TCAS interrogations of the intruder’s transponder, nominally 
at one-second intervals. The time tau and the actual time to CPA coincide only when the aircraft are on a 
perfect collision course and not accelerating. If the aircraft will merely pass near each other, then tau is only 
an approximation of time to CPA. In this case, tau will decrease to a minimum value shortly before actual 
CPA and then sharply increase until CPA, at which time the value of tau is undefined. 

In the vertical dimension, time to co-altitude and vertical separation are used instead of tau and range. 
Time to co-altitude is sometimes called vertical tau and is computed as vertical separation divided by vertical 
closure rate. In the general case, a resolution advisory is issued when range and vertical separation arc below 
horizontal and vertical distance thresholds called DMOD and ZTHR, respectively, and tau and time to co- 
altitude are below a time threshold called TAU. Since the ratio of range and range rate tends to be lower 
at closer distances, the minimum value that tau will attain in the near future is a time that varies directly 
with the nearness of the encounter. This property of tau means that the selection of a time threshold value, 
i.e., TAU, at which to alert for a collision threat determines not only the time to react to the threat, but 
also the size of protected airspace within which a given threat encounter will cause an alert. 

An effective TCAS logic requires a tradeoff between necessary protection and unnecessary advisories. 
This tradeoff is partly managed by controlling the sensitivity level (SL), which varies with the altitude of the 
ownship. Higher SLs are selected for higher altitudes, where generally speeds are higher and separations are 
larger. Among other things the SL controls the tau thresholds for RA issuance, and therefore the dimensions 
of protected airspace around each TCAS-equippcd aircraft. 

Two problems may arise with use of the simple definition of tau given by Formula (1). The first problem 
involves threat encounters with low range closure rates, and the second problem involves high closure rates 
with large miss distances. TCAS II addresses the low-closure rate problem by using a modified definition of 
tau [3]: 


r 2 - DMOD 2 

^"mod — 


( 2 ) 


rr 


DMOD was designed to provide approximately an RA-threshold amount of reaction time for an intruder 
that accelerated toward the ownship at a sustained 1/3 g [6]. Modified tau values are nearly identical to the 
true value of tau at large ranges and range rates but are smaller, i.e., more conservative, for smaller ranges 
and rates. Formula (2) assumes that the closure rate is not zero and that the current range is greater or 
equal than DMOD. 

TCAS Versions 7.0 and higher address the high-closure-rate, nuisance-RA problem by employing a hori- 
zontal miss distance (HMD) filter [7]. The HMD filter employs a parabolic range tracker to provide projected 
range acceleration as well as projected range and range rate, and uses the range acceleration to detect hor- 
izontal miss distances that are sufficiently large so as not to be a collision threat (range acceleration will 
be zero for non-accelerating aircraft on a collision course, but will be positive if the encounter has a miss 
distance). The HMD filter employs numerous noise filters and maneuver checks whose explanations are 
beyond the scope of this paper, but the end result is that the filter will suppress RA issuances for horizontal 
miss distances at CPA that are approximately equal to or greater than the DMOD values. 


Table 1. TCAS Sensitivity Level Definition and Alarm Thresholds for RAs 


Ownship Altitude 

SL 

TAU 

DMOD 

ZTHR 

ALIM 

HMD 

(feet) 


(sec) 

(nmi) 

(feet) 

(feet) 

(nmi) 

1000 - 2350 

3 

15 

0.20 

600 

300 

0.4 

2350 - 5000 

4 

20 

0.35 

600 

300 

0.57 

5000 -10000 

5 

25 

0.55 

600 

350 

0.74 

10000 - 20000 

6 

30 

0.80 

600 

400 

0.82 

20000 - 42000 

7 

35 

1.10 

700 

600 

0.98 

> 42000 

7 

35 

1.10 

800 

700 

0.98 
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Table 1 shows the altitude bands for each SL and the associated thresholds for RA issuance [2,7]. The 
distance threshold value ALIM is used to determine if a particular RA is corrective or preventive. For 
example, when a TCAS-equipped aircraft is between 20000 and 42000 feet (SL 7), the tau threshold for RA 
issuance is 35 seconds, and generally an RA will be issued if both horizontal and vertical tau fall below this 
value. An RA will also be issued for low vertical rate encounters if the current altitude difference is less than 
the vertical threshold (ZTHR) value of 700 feet. Once TCAS determines that an RA is required, it must 
determine the type of RA needed. In order to do this, TCAS estimates the altitude difference at CPA for 
various RA types; if the altitude difference will be less than the altitude limit (ALIM) value (600 feet in this 
example), then the RA will be corrective (e.g., “Climb” if level), requiring a trajectory change to regain at 
least ALIM feet of vertical separation; otherwise the RA will be preventive (e.g., “Dont Descend” if level), 
requiring no trajectory change. 

The next section presents a mathematical model of the TCAS II RA logic that formalizes the description 
provided above. 


III. Vectorized Model of the TCAS II Resolution Advisory Logic 


While TCAS II uses different mechanisms to track aircraft as accurately as possible, the mathematical 
model presented in this section assumes that accurate aircraft surveillance information is available as hor- 
izontal and vertical components in a 3-dimensional airspace. Through out this paper, letters in bold-face 
denote 2-D vectors. Vector operations such as addition, subtraction, scalar multiplication, dot product, i.e. , 
s • v = s x v x + SyVy , and the norm of a vector, i.e., ||s|| = • s, are defined in a 2-D Euclidean geometry. 

The expression denotes the 2-D right perpendicular of v, i.e., ( v y , — v x ). Furthermore, the function root, 
defined by Formula (3), computes the roots of the quadratic equation ax 2 + b x + c = 0. For completeness, it 
is defined such that it returns the value 0 when the roots are undefined. In this paper, the values returned 
by root are only used in a context where a 0 and b 2 — 4 ac > 0. 


root(a, 6 , c, e) 


- b+£ ^~ iac if a ^ 0 and b 2 - 4 ac > 0, 
0 otherwise. 


( 3 ) 


Assuming constant velocities, the 
t > 0, are given by 


horizontal positions of the ownship and intruder aircraft at a time 


s Q (t) =s 0 + tv 0 , (4) 

Si(t) = Si +tVi, (5) 


respectively. As it simplifies the mathematical development, some definitions in this paper use a relative 
coordinate system where the intruder is static at the center of the system. In this relative system, the ownship 
is located at s = s Q — s* and moves at relative velocity v = v Q — Vj. Therefore, the relative horizontal position 
of the ownship with respect to the traffic aircraft at any time t can be defined as follows. 


s(t) = s + tv. 


( 6 ) 


The range between the aircraft at any time t is given by a 

r(t) = ||s(f)|| = a/PF + 2ts • v + t 2 ||v|| 2 . 


( 7 ) 


Closure rate is the derivative of r(t) with respect to t, i.e., 


r{t) = 


s • V + t ||v || 2 

Nt)ll 


(8) 


Given a relative position s and velocity v, the time of horizontal closest point of approach, denoted t cpa , is 
the time t that satisfies r(t) = 0. Hence, 


to P a(s,v) = 


s • V 
Ilvll2‘ 


( 9 ) 


a In this paper, we assume that a 2-dimensional range is used in the calculation of r and T mo d- This assumption is consistent 
with the use of these values in horizontal threshold checks done by the TCAS II resolution advisory logic. 
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By convention, t opa is defined as 0 when the velocities of the ownship and intruder aircraft are identical, i.e. , 
f cp a(s, v) = 0, if 1 1 v 1 1 2 = 0. 

Given a relative position s and velocity v, Formula (1) and Formula (2) can be written in a vector form 
as follows. 


t(s,v) 


' 7 "mod^( S * J V ) 


_r = r( 0) = ||s|| 

* -(°) ff 

dmod 2 - ||s|| 2 


S • v’ 


(10) 

(ii) 


Formula (1) and Formula (2) are undefined when the closure rate is 0. This happens when both aircraft 
have the same velocity vector, i.e., same direction and same speed, and it also happens when at current time 
the aircraft are at the closest point of approach. In the vector form of these formulas, i.e., Formula (10) and 
Formula (11), the singularity is equivalently expressed as s • v = 0. The dot product s • v also characterizes 
whether the aircraft are horizontally diverging, i.e., s- v > 0, or horizontally converging, i.e., s- v < 0. It can 
be seen from Formula (10) that when the aircraft are converging, r is positive. In the TCAS II RA logic, 
Formula (11) is used in a context where the aircraft are horizontally converging. In that case, modified tau, 
i.e., r mod £, is positive when the current range is greater than DMODf. 

As explained in Section II, the TCAS II RA logic checks the value of r mod against horizontal and vertical 
thresholds to determine if a resolution advisory will be issued. These checks can be mathematically modeled 
using the functions Horizontal _RAf and Vertical_RAf below. 

The function Horizontal JtA^ takes as parameters the relative horizontal position s and velocity v of the 
aircraft. It returns true if, for the given input and sensitivity level £, the horizontal thresholds are satisfied. 


Horizontal_RA^ (s, v) = ||s|| < DMOD,? or (s • v < 0 and T mod f(s,v) < TAU^). (12) 


In order to model the vertical check performed by the TCAS II RA logic, it is necessary to define the 
time to co-altitude f coa . This time satisfies s z +t COBb v z = 0, where s z = s oz — Si Z and v z = v oz — Vi Z . Therefore, 
for a given vertical separation s z and relative non-zero vertical speed v z , 

t C oa.(s z ,v z ) = - — . (13) 

V z 

Similar to the horizontal case, the product s z v z characterizes whether the aircraft are vertically diverging, 
i.e., s z v z > 0, or vertically converging, i.e., s s v z < 0. In the TCAS II RA logic, Formula (13) is used 
in a context where the aircraft are vertically converging. In this case, t coa is always positive. The function 
Vertical_RAf, which returns true when the vertical thresholds are satisfied for a sensitivity level i, is defined 
as follows. 

Vertical JtAf(s z , v z ) = |s z | < ZTHRf or ( s z v z < 0 and t ooa (s z , u z ) < TAlh). (14) 

where s z and v z are, respectively, the vertical separation and the relative vertical velocity of the aircraft. 

In addition to the horizontal and vertical checks, TCAS Version 7.0 introduces a filter that inhibits 
resolution advisories when the projected point of closest approach is larger than a given horizontal miss 
distance. In the formal model presented in this paper, this functionality is accomplished by a state-based 
2-D conflict detection algorithm called CD2Doo. 

The function CD2Doo takes as parameters the relative state of the aircraft, i.e., relative position s and 
relative velocity v, a minimum separation distance D > 0 and a time B > 0. It returns a Boolean value that 
indicates whether or not the aircraft will be within horizontal distance D of one another at any time after 
B along trajectories which are linear projections of their current states. 

CD2D 00 (s,v,D,R) = (||v|| = 0 and ||s|| < D) or 

(|| v|| > 0 and A(s, v,U)>0 and 0(s, v, D, 1) > B), 

where 

A(s, v, D) = H 2 ||v|| 2 — s • v 2- , and (16) 

0(s,v,D,e) = root(||v|| 2 , 2(s • v), ||s|| 2 - Z? 2 ,e). (17) 
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When A(s,v,D) > 0, the function 0 computes the times when the aircraft will loss separation, if e = — 1, 
or regain separation, if e = 1. 

It has been formally proved in the PVS theorem prover that the function CD2DQO completely and correctly 
predicts violations of a minimum distance D after time B , i.e. , the following statement holds. 

Proposition 1. For all vectors s = s 0 — s i; v = v Q — v i; distance D > 0, and time B > 0, CD2D ao {s 1 v , D , B) 
returns true if and only if there exists a time t > B where ||s + tv|| < D . 

Using Horizontal_RA f , Vertical_RAf , and CD2DOO, the function that determines whether or not an RA 
will be issued for the ownship can be defined as follows. 

TCASII _RA(s 0 , S oz , V 0 , V 0 z ? Si , Si z , Vi , Viz ) = 

let S — S Q Si, V — V 0 Vi, S z — S 0 z Sizi ^ z — 'Coz H iz i-H 

Horizontal_RAf (s, v) and (18) 

Vertical_RAf(s z , v z ) and 
0020^(8, v,HMD<,0), 

where £ is the sensitivity level corresponding to s oz and HMDf is the horizontal miss distance for that sensitivity 
level. Furthermore, the function that checks if an RA will be issued for the ownship at a given future time 
t < t c pa (s,v) can be defined as follows. 13 

TCASI I_RA_at (s 0 , s oz , v G , v oz , Si , s zz , Vi , v zz , i) = 

let s = s D -s i,v = v 0 -Vi,s z = s oz -s iz ,v z =v oz -v iz in 

Horizontal_RAf(s + tv, v) and (19) 

Vertical_RA^(s z + tv z , v z ) and 
CD2Doo(s,v,HMD t ,t). 


IV. Resolution Advisory Detection 

In a similar way that a conflict detection algorithm checks whether or not a loss of separation is predicted 
to occur within a period of time, it is possible to design a resolution advisory detection algorithm that checks 
whether or not an RA is predicted to be issued for the ownship within a period of time. This sections 
presents an analytical formulation of such a resolution advisory detection algorithm, which is called RA3D. 

RA3D is a function that takes as parameters the states of the ownship and intruder aircraft and a lookahead 
time interval, and returns a Boolean value that indicates whether an RA is predicted to be issued for the 
ownship within that time. It has been formally proved that, assuming accurate vector information and 
kinematic aircraft trajectories, RA3D correctly and completely characterizes the aircraft states that lead to 
an RA for the ownship within the lookahead time interval. 

In order to define RA3D, it is necessary to first define a function that detects whether a horizontal RA 
will occur between two current or future times. This is accomplished by a function called RA2Df. Then, the 
function RAZTimelnterval^ is defined that characterizes the time interval where the values of the functions 
Vertical_RAf and CD2DOO are set to true. The function RA3D is defined by appropriately calling RA2D^ on 
the interval returned by RAZTimelntervalf . 

IV. A. Characterization of Horizontal RAs 

As illustrated by Formula (12) in Section III, the value of r mod ^(s, v) determines whether there is a horizontal 
RA when the aircraft have horizontal relative position s and horizontal relative velocity v. Thus, the 
minimum value of r mod ^(s+tv, v), where t ranges over the lookahead time interval [B,T], determines whether 
or not a horizontal RA will occur for some time t in this interval. The minimum value of r mod ^ can be 
computed with a concise formula, namely Formula (20), which defines the function Time_Min_TAUmodf . This 

^Formula (19) assumes that the sensitivity level t does not change in the time interval [0, /]. 
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function computes exactly the time t in [B, T] at which r mod f (s + tv, v) attains its minimum value. 


where 


Time_Min_TAUmod^(s, v, B, T) = 


B 

if (s + Bv) • v > 0, 

t*(r min ) 

if A(s,v,DM0Df) < 0, 

T 

if (s + Tv) • v < 0, 

r(°) 

otherwise, 


_ oV /-A(s,v,DM0D £ ) 

Tmin “ ||v|| 2 

t*(t) = max(R,min(T,f cpa (s,v) - *)). 


(20) 


(21) 

(22) 


It should be noted that Formula (21) and Formula (22) are used in Formula (20) only in cases where the 
corresponding conditions imply that || v|| 2 ^ 0 and A(s, v, DMOD^ ) < 0. Hence, the function Time_Min_TAUmod£ 
is well-defined and does not involve divisions by zero or square roots of negative numbers. The function RA2Df 
is defined as follows. 


RA2D^(s, v, B , T) = (A(s, v, DMOD^) > 0 and s + Bv < 0 and s + Tv > 0) or 

let t = Time_Min_TAUmod^(s, v, B, T) in (23) 

Horizontal_RAf(s + tv, v). 


The following proposition, which has been formally proved in the PVS theorem prover, asserts that, for 
a given sensitivity level £, the function RA2D^ characterizes the set of possible relative states that lead to a 
horizontal RA within a lookahead time interval. 


Proposition 2. For all vectors s = s Q — s*, v = v D — v*, and lookahead time interval [ B,T ], RA2Dp(s,v, B,T) 
returns true if and only if there exists a time t £ [B,T\ where Horizontal_RAc(s + tv, v) holds. 

For some applications, it may be necessary to determine not only the existence of an RA within a 
lookahead time interval, but also the time interval when RAs are issued. The following function computes 
such a time interval for horizontal RAs. 


RA2DTimeIntervalf(s, v, B, T) = 
let a = || v|| 2 , 

b = 2(s • v) + TAUf ||v|| 2 , 
c = ||s|| 2 + TAUf (s • v) — DMOD^ in 
if o = 0 and ||s|| < DMOD^ then 
[B,T\ 

else 

let 9 = 0(s, v, DMODf , 1) in 

if ||s|| < DMODf then (24) 

[B,e\ 

elsif (s • v > 0 or b 2 — 4 ac < 0 then 
[T +1,0] 

elsif A(s, v, DMODf) > 0 then 
[root(a, 6, c, —1), 9\ 
else 

[root(a, 6, c, —1), root(a, 6, c, 1)] 

endif . 


7 of 12 


American Institute of Aeronautics and Astronautics 


The following proposition, which has been formally proved in the PVS theorem prover, asserts that, for 
a given sensitivity level £, the function RA2DTimeIntervalf computes a time interval that characterizes the 
times, within a lookahead time interval [ B,T ], at which a horizontal RA will be issued. 

Proposition 3. For all vectors s = s Q — s i, v = v D — Vj, and lookahead time interval [B,T\, 
if RA2DTimeIntervalg(s,v, B,T) returns the time interval [t in ,t mt ], then for all times t G [B,T\, 
Horizontal_RAe(s + iv, v) holds if and only if t G [t in ,t out ], 

IV. B. Characterization of RAs 

As noted above, the functions RA2D^ and RA2DTimeInterval^ can be used to, respectively, detect a horizontal 
RA within a lookahead time interval and compute the times, within the lookahead time interval, when a 
horizontal RA violation will occur. To completely formalize a TCAS II RA detection algorithm, functions 
RA3D and RA3DTimeInterval^ , which are analogous to RA2D^ and RA2DTimeIntervalf, are defined such 
that they take into account both the horizontal and vertical components of the TCAS II RA logic. These 
functions have as parameters the state information of the ownship, i.e. , s Q , s 0Zl v 0 , v oz , the state information 
of the intruder aircraft, i.e., s,, s» z , Vj, Vi z , the lookahead time interval [B, T], and a flag hmdf ? that indicates 
whether or not the horizontal miss distance filter should be used. For RA detection according to the TCAS II 
RA logic, that flag should always be set to true. 

The function RA2DTimeInterval^ computes the times, within the lookahead time interval [B,T\, when 
an RA violation will occur. It is formally defined as follows. 

RA3DT imelntervalf (s c , s oz , v Q , v oz , s* , s iz , v* , v iz , B , T, hmdf ? ) = 

let s = s G s^, v = v D Vj, s z = s oz - s iz , v z = v oz - v iz in 

if hmdf? and not CD2D oc (s, v, HMDe, B) then 
[T,B] 

elsif v z = 0 and |s z | > ZTHR^ then 

[T,B] 

else 

let [t inz , i outz ] = RAZTimelnterval^ (s z , v z , B, T) in 
if f outz < B or T < t inz then 

[T,B] 

else 

let [l in ,l out ] = [max(R,f lnz ),min(T,t outz )], 

[' tinxy,toutxy ] = RA2DTimeInterval^(s, v, B, T), 

[ti,t 2 ] = [max(f in ,min(i out ,t ina .j / )),max(t in ,min(f out ,t outx?/ ))] in (25) 
H linxy ^ Cut xy or loutxy ^ bn or t inX y f out then 

[T,B\ 

if hmdf? and HMD^ < DMODf and 

(s + t inz v) • v > 0 and ||s + i lnz v|| > HMDf then 
[T,B\ 

elsif hmdf? and HMD^ < DMOD^ then 
let 6 = 0(s, v, HMD^, 1), 

t$ = if ||i)|| = 0 then T else max(R, min($, T)) endif, 
ti = min(t 2 ,t 3 ) in 
[li,l4] 

else 

[li,l2] 

endif. 
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The function RAZTimelntervalf used in Formula (25) computes the time interval when vertical separation 
with respect to ZTHRf will be lost within the time interval [ B,T ]. It is defined by Formula (26). 


RAZTimelntervalf (s z , v z , B, T ) 


[B,T\ if v, = 0, 

[ -»ign( U .)g ) sign(^) g )] 0therwis6; 


(26) 


where H = max(ZTHR£, TAlb|u z |) and sign(u z ) denotes the sign of v z , i.e., -1 when v z < 0 and 1 when v z > 0. 

The function RA3D detects RAs by checking the time interval that is returned by RA3DTimeInterval^ , 
where (. is the sensitivity level corresponding to s oz . 


RA3D(s 0 , S oz , V G , V oz , Sj , Si z , Vi , Vi z , B , X 1 ) — 

let [i in ,t„ ut ] = RA3DTimeInterval£(s 0 ,s 0Z ,v 0 ,ti 02 ,s J ,s iz ,v i ,u iz ,B,T, true) in (27) 

tin t 0 nf 


Just as for the rest the mathematical development presented in this paper, the following proposition has 
been formally proved in the PVS theorem prover. It states that the function RA3D characterizes the set of 
aircraft states that will lead to an RA for the ownship within a lookahead time interval assuming that the 
aircraft follow linear projections of their current states and the sensitivity level remains constant. 

Proposition 4. For all ownship states s G , s oz , v Q , v oz , intruder states Sj, Sj Z , Vj, Vi Z , and lookahead time 
interval [B,T\, RA3D(s 0 , s oz , v 0 , v oz , s,, Sj Z , v;, Vi Z , B, T) returns true if and only if there exists at £ [ B,T ] 
where TCASII_RA_at(s 0 , s oz , v a , v oz , Sj, Sj 2 , Vj, Vi Z , t) holds. 


V. Corrective Resolution Advisories 

As explained in Section II, there are two types of resolution advisories: corrective and preventive. Cor- 
rective RAs require a trajectory change by the ownship to regain a minimum altitude limit (ALIM), whose 
value depends on the sensitivity level. This section presents mathematical formulas that determine if a given 
RA is either corrective or preventive. 

The function sep_at, defined by Formula (28), predicts the vertical separation between the aircraft at a 
given time t assuming a target vertical speed v for the ownship. The ownship is assumed to fly at constant 
ground speed and constant vertical acceleration a. Once the target vertical speed v is reached the ownship 
continues to fly at constant vertical speed. The function own_alt_at, defined by Formula (29), computes the 
vertical altitude of the ownship at time t given a target vertical speed v and acceleration a. The parameter e 
specifies a possible direction for the vertical ownship maneuver, which is upward when e = 1 and downward 
when e = — 1. The intruder is assumed to continue its trajectory at its current vertical speed. 


sep_at(s oz , v oz ,s iz ,v iz , v, a , e, t) = 

let o = own_alt_at(s oz , v oz , |u|, a, esign(u), t), 
i = s iz + tv iz in 
e(o-i). 


(28) 


own_alt_at(s oz , v oz , v, a, e, t) = 

let s = stop_accel(u oz , v, a, e, t), 
q = min(t, s), 
l = max(0, t — s) in 

2 + 1 Voz + s ° z + el v - 


(29) 


The function stop_accel computes the time at which the ownship reaches the target vertical speed v. It is 
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defined as follows. 


stop_accel(i> oz , v, a, e, t) = 

if t < 0 or ev oz > v then 0 

ev-v oz 


else 
endif . 


ea 


(30) 


The sense of an RA is computed based on the direction for the ownship maneuver that provides a greater 
vertical separation, with a bias towards the non-crossing direction. The function RA_sense computes such a 
direction, where ALIM^ is the altitude limit for a given sensitivity level £. 

RA.sens e(s oz ,v oz , s iz ,v iz , v, a, t ) = 

let o- j- = own_alt_at(s oz , v oz , v, a, 1 , f), 

04. = own_alt _at(s oz , v oz , v, a, —1, t), 
i — Si z T tVi z , 
u = Of — i, 

d = i — Of in (31) 

if sign(s oz — Si z ) = 1 and u > ALIM^ then 1 
elsif sign(s 02 — Si z ) = —1 and d > ALIM^ then — 1 
elsif u > d then 
else — 1 
endif. 


An RA is corrective if the altitude limit is not cleared when the ownship maneuvers in the direction of 
the RA sense. The Boolean function corrective specifies an algorithm that returns true when a given RA 
is corrective. 

corrective(s G , v 0 , v oz , s», s iz , v iz , v, a) = 

l6"t S — S G S 2 , V — V G V^, S z — S oz Si z , V z — Voz V ^ z , 

t = r mod ^(s,v), ( 32 ) 

e = RA.sens e(s oz ,v oz , s iz ,v iz ,v, a,t) in 

||s|| < DM0D £ or 

(s • v < 0 and e (s z +tv z ) < ALIM^), 
where t is the sensitivity level corresponding to s oz . 


VI. Related Work 

Formal models of TCAS have been proposed before. Leveson et al. provides a complete specification of 
the TCAS II logic in a tabular notation called Requirements State Machine Language (RSML) [8]. Livadas et 
al. presents a high level model of the core components of TCAS using the formalism of Hybrid Input/Output 
Automata (HIOA) [9]. The model presented here is more modest than those models. This paper focuses 
on the collision avoidance logic that deals with resolution advisories and assumes that accurate state vector 
information will be available to sense and avoid systems. A key difference between this work and other models, 
such as those listed above, is the introduction of this vector information, which enables the derivations 
of the concise formulas presented in this paper for computing TCAS II RA information, especially those 
formulas used to analytically detect future RAs. The assumption that accurate state vector information is 
available reduces the complexity in the TCAS II logic concerning aircraft tracking and enables the analytical 
presentation, which is based on vector arithmetic. It should be noted that the algorithm presented in 
Section V projects aircraft vertical trajectories using constant acceleration and a target vertical speed as 
specified in the TCAS II logic, rather than constant vertical speed as specified in [9]. 

Safety properties related to issuance of resolution advisories have been verified by Coen-Porisini et al. [10] 
using symbolic execution and, more recently, by Gotlieb [11] using constraint programming. These works rely 
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on a C implementation of the core TCAS II RA logic that is available at the Software-artifact Infrastructure 
Repository (SIR) maintained by the University of Nebraska-Lincoln. That code deals with high-level aspects 
of the function that computes the sense of an RA, but does not implement the mathematical formulas that 
determine whether or not an RA is issued. 

VII. Conclusion 

This paper presents a formal development that consists of a mathematical model of the TCAS II resolution 
advisory logic and algorithms for detecting RAs within a given lookahead time interval and for checking 
whether a given RA is corrective or not. 

As far as the authors know, an algorithm for detecting resolution advisories has not been proposed before. 
This algorithm is a key component of NASA’s Separation Assurance concept for the integration of UAS in 
the NAS [4]. In particular, it is used to implement airborne and ground capabilities that allow UAS pilots 
to avoid encounter scenarios that are not well-clear vis-a-vis systems such as TCAS. It should be noted that 
the algorithm presented here can be easily parameterized into an algorithm for detecting traffic advisories. 
This is possible since the TCAS II logic for traffic advisories and the logic for resolution advisories mainly 
differ in the values of the time and distance threshold parameters and the use of an horizontal miss distance 
filter. Indeed, the function TA3D defined by Formula (33) detects Traffic Alerts (TAs) within a lookahead 
time interval [B,T], when the threshold values TAUf, DMDD^, and ZTHR^ are taken from Table 2 [2]. In this 
case, the function RA3DTimeIntervaU is called with the parameter corresponding to the horizontal miss 
distance filter hmdf? set to false. 


TA3D(s, 


O 7 °OZ 7 v O 7 u OZ 7 7 °IZ 7 v l 7 U IZ 


Vi, Viz, T) — 


let [£ in , t out ] = RA3DT ime Int erval^ (s 0 , s oz , v 0 , v oz , s*, s iz , v i9 v. 

tin ^ ^nut* 


lz ,B,T, false) in 


(33) 


Table 2. TCAS Sensitivity Level Definition and Alarm Thresholds for TAs 


Ownship Altitude 

(feet) 

SL 

TAU 

(sec) 

DMOD 

(nmi) 

ZTHR 

(feet) 

1000 - 2350 

2 

20 

0.30 

850 

1000 - 2350 

3 

25 

0.33 

850 

2350 - 5000 

4 

30 

0.48 

850 

5000 -10000 

5 

40 

0.75 

850 

10000 - 20000 

6 

45 

1.0 

850 

20000 - 42000 

7 

48 

1.3 

850 

> 42000 

7 

48 

1.3 

1200 


Finally, it is emphasized that the mathematical development presented here has been formalized and 
mechanically verified in PVS. This level of rigor is justified by the safety-critical role that sense- and- avoid 
UAS systems may play in the future airspace system. 
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